
The "no ip redirects" Command

smith.tom
Level 1

What is the purpose of issuing the "no ip redirects" command on a router interface?

7 Replies

donewald
Level 6

It keeps the router from sending redirect messages to clients (ICMP). These are for when a router would know a more optimal path for a client to take rather than taking itself. It sends an ICMP Redirect to the client pointing it to another next-hop, rather than itself, for a given destination in hopes the client will take this new next hop to this destination.

Hope this helps,

Don

That helps.

Thanks

How does the "no ip redirects" command issued on router interfaces improve network security? I have come across documentation stating that. Could you also please explain why "ip unreachables" are turned off on serial interfaces and enabled on Ethernet or FastEthernet interfaces of routers?

Thanks,

RAJ

It improves security because if someone inserts another router on the network that the admins may not know about, it will not send the devices' traffic to the other questionable device. The questionable device may have routes to outside networks that aren't approved, or be doing other things with the packets it receives. Turning off redirects (and proxy-arp) enforces routing policy also.

Serial interfaces don't really need to send unreachables... users' traffic should go to a LAN interface as a next-hop and not a serial interface. You can also disable unreachables on a LAN interface if you want. This is a security item as well as an enforcement measure for good network design. There should be no unreachables sent if hosts are sending packets to known networks in your organization that are reachable.
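One way to check a saved configuration for the three settings discussed in the replies above, as an added example that is not part of the original thread. It assumes IOS-style text in which redirects, unreachables and proxy-arp are on by default and only the `no ...` form is written to the configuration; the sample config, the function names and the policy of requiring all three lines on every active interface are assumptions made for illustration.

```python
# Thread's hardening lines; assumed absent from the config means still enabled.
REQUIRED = ("no ip redirects", "no ip unreachables", "no ip proxy-arp")

# Constructed sample running-config (documentation addresses, not a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 no ip unreachables
!
interface Serial0/1
 no ip address
 shutdown
"""

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from IOS-style text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split()[1], [])
        elif raw.startswith(" ") and current is not None:
            current.append(" ".join(raw.split()))  # normalise whitespace
        else:
            current = None  # "!" or a top-level line ends the block
    return interfaces

def audit(config):
    """Map each active, addressed interface to the hardening lines it lacks."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines or "no ip address" in lines:
            continue  # nothing to harden on a shut or unaddressed port
        missing = [cmd for cmd in REQUIRED if cmd not in lines]
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Treat each finding as an item to review rather than a change to push blindly: a later reply in this thread reports an ISDN dialer backup that only triggered once unreachables were re-enabled on the dialer interface.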

sukesh tandon
Level 1

Hi all,

I just removed no ip unreachable from the dialer interface.

A serial interface had a dialer interface as backup, but the auto triggering of ISDN was not happening on the dialer interface.

When I removed this command, it started happening. Could any one of you tell me the issue?

Feel free to contact me on sukki151190@gmail.com

Sukesh Tandon

Ravi Singh
Level 7

no ip redirects--this disables ICMP redirect messages. Redirects happen when a router recognizes a packet arriving on an interface and the best route is out that same interface. In that case the router sends an ICMP redirect back to the source telling them about a better router on the same subnet. Subsequent packets take the optimal path. If you disable this, the packets would have continued using the suboptimal path (in this scenario).

It also improves security because if someone inserts another router on the network that the admins may not know about, it will not send the devices' traffic to the other questionable device.

You can take the example of a DMVPN hub-and-spoke setup where all the traffic is being sent to the hub from all the spokes. Now, to make these spokes understand that they can send and receive traffic to each other, this command is configured in the hub router, informing the spokes that they can have a more optimal path.

Please do not hesitate to click the STAR button if you are satisfied with my answer.